Meerkat Finance Rug Pull

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 17:22, 23 February 2024 by Azoundria (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Meerkat Finance

The team at Meerkat Finance launched a smart contract which enabled future upgrades based on a private key they held. They then used the private key to upgrade the contract such that they could withdraw all of the funds.

It was only through the involvement of the Binance team that affected users were able to get their funds back.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]


[16]

About Meerkat Finance

"Meerkat Finance was a protocol that focused on yield farming. It replicated the popular DeFi platform Yearn.Finance, although the former launched on Binance Smart Chain. On the other hand, Yearn uses the Ethereum blockchain, which is the most popular smart contract network for DeFi applications." "Meerkat was a yield vault project that forked Yearn.Finance’s code — one of many forks of Ethereum-native protocols that populate BSC."

"The DeFi project was drained of 13.96 million BUSD and 73,653 BNB (both Binance tokens), adding up to over $31 million in total." "This DeFi investment platform was barely debuting on the Binance Smart Chain (BSC) when the supposed hack happened." "Decentralized finance project Meerkat Finance has claimed it was drained of $31 million in crypto assets just one day after launching on the Binance Smart Chain." "The team behind Meerkat Finance, a yield farming pool running on the Binance Smart Chain that went live just one day ago, claimed in its official Telegram channel around 9:00 UTC on Thursday that its smart contract vault was compromised."

"The Meerkat’s BNB-BUSD Vault 1 was compromised. According to the reports, the hackers changed the ownership of the smart contract and started to withdraw the funds available there. This way, around $17.67m in BNB and $13.9 in BUSD were robbed."

"However, there are suspicions it may not be a simple case of a hack, as on-chain data points to the original Meerkat deployer’s account being used to alter the smart contract, per the report. Unless the project’s private key was compromised, this suggests it being carried out by Meerkat itself." "Backing up fears of an exit scam are the disappearance of Meerkat’s website and Twitter profile." "The Meerkat team initially responded to the transactions, claiming they were the result of an external hack. However, they have since been silent, with users unable to access the MKAT application or website." “This may be the largest fraud project on the Binance Smart Blockchain,” tweeted Wu Blockchain, a prominent Chinese crypto blogger.

"Distressed users reached out to Binance CEO Chanpeng Zhao, hoping that the CEO can track down the money. CZ has not replied to any comment on Twitter." "A Binance representative said in the exchange's official Chinese Telegram channel that they have noticed the abnormality of the Meerkat project and is working with auditing firms Certik, PeckShield and Slowmist to investigate." "It appears that victims have formed a "Meerkat_Rugpull" chat group on Telegram to post updates on the issue with 135 members already."

"At 5:30 AM UTC today, a Meerkat Finance developer identifying themselves as “Jamboo” posted a short message in a newly-created Telegram channel, “Meerkatrefunds.” In it, Jamboo said that the exploit was a “trial” testing user's greed and “subjectivity,” and that the team was preparing to refund all victims." "Jamboo provided proof of their association with Meerkat by sending a small transaction from the Meerkat deployer, demonstrating that they have access to the exploited contract (or communicates with someone who does). The transaction was processed on the Binance Smart Chain network roughly twenty minutes after Jamboo’s Telegram post."

"Members of the Meerkat Finance team carried out the exploit with a compromised smart contract using a key that belonged to the Meerkat Finance development team. This allowed the attackers, internal Meerkat Finance developers, to change the core business logic and withdraw users funds from the projects vaults and distribute them to new addresses in an attempt to run away with the stolen funds." "[T]he activity on the hacker addresses shows that the transactions are primarily conducted using DeFi avenues like PancakeSwap instead of moving to a centralized exchange."

"The legal team at Binance began the preparations for the legal pursuit of the suspect and any co-conspirators and sent a legal notice to the identified perpetrator, informing about the upcoming legal action. The attacker used the internal key in this exploit, which indicates that this might have been an inside job rather than an external attack."

"Shortly after the incident, Meerkat Finance launched a refund program under heavy pressure from the BSC community and its partners. Although the procedure is a bit complex and requires victims to interact directly with a new smart contract, as of this moment, at least 95% (~$30m) of users losses have been recovered successfully, with ongoing distributions to remaining victims." "This is historically the largest recovery of funds the Binance security team has participated in. We believe that every victim of this rug pull will receive their stolen funds back."

"In the past, the Binance security team has helped numerous community members recover lost funds, including a near-complete recovery of funds lost in another DeFi scam, valued at an estimated $344,000 USD, in November 2020."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Meerkat Finance Rug Pull
Date Event Description
March 4th, 2021 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $32,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

Of particular concern should be any backdoors into smart contracts which exist. In the wrong hands, these could enable a malicious modification of the contract.

Like anything else, the use of multi-signature setups and proper offline storage of keys are of paramount importance.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References